DarthMiner Strikes Mac Empire

14 December 2018

Researchers at Malwarebytes have uncovered another piece of malware that undermines the perception that Macs are naturally secure and robust enough to defend against the dark side. What the researchers discovered is malware targeting Mac systems that is fundamentally a combination of two open-source programs: the first a backdoor and the second a crypto miner. The malware has been named DarthMiner and, if it infects your system, it will definitely turn that system away from the light side.

In the article published by Malwarebytes, it would seem that DarthMiner is distributed via a compromised application called Adobe Zii, which is marketed as an app that assists in the pirating of Adobe products. In reality the application does nothing of the sort, a fact hinted at by its use of a generic Automator applet icon. One would normally expect an app such as this to at least use a stolen Adobe Creative Cloud logo. If it is not an application to assist in piracy, what does it in fact do? The fake application was designed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely to hide the malicious activity.

Interestingly, the obfuscated Python script looks for the presence of Little Snitch, a host-based firewall for macOS. It is generally used to monitor applications, permitting or preventing their connections to an attached network through a set of advanced rules. If Little Snitch is detected, the infection process is stopped. Regardless of the malware halting itself when the tool is found, researchers contend that the firewall would already have blocked the script's download attempts. If no instance of Little Snitch is detected, the malware proceeds to the next stage of its infection chain.

The next step is the installation of the EmPyre backdoor, the first of the open-source programs used by the authors of DarthMiner. The backdoor is then able to execute arbitrary commands on the infected Mac, which enables it to download a script that fetches and installs the other components of the malware. A launch agent is also created to ensure persistence. This is followed by the installation of the second open-source program, the XMRig crypto miner. This too creates a launch agent, designed to keep the XMRig process running.
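One way a defender can triage user LaunchAgents for the persistence pattern described above (an agent that keeps a miner running), as an added example that is not code from the article or from Malwarebytes: the sample plists are constructed, and the trusted-path prefixes and the indicators it checks are assumptions for illustration, not indicators published for DarthMiner.

```python
import plistlib

# Assumed trust policy for this example: programs launched from these prefixes are not flagged.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
# Constructed sample LaunchAgent plists (not taken from the article): a benign updater, and one
# modelled on the KeepAlive-style agent the article says keeps the XMRig process running.
SAMPLE_AGENTS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.example.sysmon.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sysmon</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.cache/sysmon/xmrig</string><string>--config</string>
  <string>/Users/alice/.cache/sysmon/config.json</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

def triage_agent(plist_bytes):
    """Return a list of reasons a LaunchAgent deserves a closer look (empty = nothing noted)."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    program = d.get("Program") or (args[0] if args else None)
    reasons = []
    if program is None:
        return ["no Program/ProgramArguments key"]
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted prefixes: {program}")
    if "/." in program:
        reasons.append("program lives in a hidden directory")
    if d.get("KeepAlive") and d.get("RunAtLoad"):
        reasons.append("RunAtLoad + KeepAlive: launchd restarts it whenever it exits")
    if any("xmrig" in a.lower() for a in args):
        reasons.append("command line references xmrig")
    return reasons

def triage_all(agents):
    """Map each plist name to its reasons, keeping only the agents that were flagged."""
    return {name: r for name, data in agents.items() if (r := triage_agent(data))}

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_AGENTS).items():
        print(name, "->", "; ".join(reasons))
```

On a real host the same functions can be fed the bytes of each file under ~/Library/LaunchAgents and /Library/LaunchAgents; plistlib also accepts binary plists.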

Analysis of the script further revealed code designed to download and install a root certificate for the mitmproxy tool, which can intercept web traffic, including encrypted traffic. The code, however, has been commented out, meaning that it is not active in the observed malware. This perhaps illustrates the next evolution of the malware. It may be thought that the script itself causes little harm by just running a crypto miner, but the fact that the infected Mac is now backdoored allows attackers to send arbitrary commands and potentially install other strains of malware. DarthMiner also highlights another danger: that of software piracy and the high risks it poses to users. Sometimes users looking to pirate software get far more than they intended.

EmPyre Chinks Mac Armour

This is not the first time, nor will it be the last, that the EmPyre backdoor has been used to gain privileged access to Mac systems. The tool was developed by the Empire Project and is available for download from GitHub; it was originally intended for penetration testing. As with most things, good intentions mean very little, and the tool has been co-opted by malware authors to hack into what many still believe are secure platforms.

While the backdoor is capable of giving hackers access to a Mac system, it is what can be done afterwards that matters. In the above instance of DarthMiner, a crypto miner is installed, with the potential to further install the mitmproxy tool. This too is not the first time the XMRig crypto miner has been seen infecting Macs. In May 2018 reports began to surface that a process called mshelper was hiding XMRig. Initially, users began posting their findings on Apple forums, which led researchers from Malwarebytes to investigate. The researchers reported that the process was indeed hiding the crypto miner and that it had likely been distributed via a fake Adobe Flash Player or downloads from unofficial sites. Thomas Reed, the senior researcher, concluded that,

“Mac cryptomining malware has been on the rise recently, just as in the Windows world. This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a crypto miner than some other kind of malware, but that doesn’t make it a good thing,”

While malware strains attacking Mac systems are far less common than their Windows cousins, the belief that Macs are somehow immune to infection still persists. AV-Comparatives, an independent lab which specializes in testing security products, did their own security tests on a Mac. In the resulting article they pointed out that Macs do ship with a number of anti-malware capabilities, but also said,

“Despite the built-in capabilities, some security experts recommend strengthening the defenses by adding in a third-party antivirus package. There are many good reasons for this. Firstly, the approach taken by Apple might be adequate for well-established malware but might not respond quickly enough to emerging threats. Secondly, you might want a broader base of malware evaluation.”

The lab also concluded that,

“Experienced and responsible Mac users who are careful about which programs they install, and which sources they obtain them from, may well argue – very reasonably – that they are not at risk from Mac malware. However, we feel that non-expert users, children, and users who frequently like to experiment with new software, could definitely benefit from having security software on their Mac systems, in addition to the security features provided by the Mac OS itself. Readers who are concerned that third-party security software will slow their Mac down can be reassured that we considered this in our test; we did not observe any significant performance reduction during daily operations with any of the programs reviewed.”